Detection of unauthorized encryption using key length evaluation
Abstract
Techniques are provided for detection of unauthorized encryption in a storage system using key length evaluation. One method comprises determining a key length of an encryption key used to encrypt data associated with one or more write commands in a storage system; evaluating the key length relative to an expected key length; and performing one or more automated remedial actions, such as generating an alert notification, in response to the key length being different than the expected key length. A count of a number of write operations in a given folder can be compared to a number of files in the given folder and an alert notification can be generated in response to the count of the number of write operations in the given folder having a same value as the number of files in the given folder.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1. A method, comprising:
determining a key length of an encryption key used to encrypt data associated with one or more write commands in a storage system;
obtaining an expected encryption key length of at least one encryption process used to encrypt data in the storage system;
evaluating the key length relative to the expected encryption key length; and
performing one or more automated remedial actions in response to the key length being different than the expected encryption key length;
wherein the method is performed by at least one processing device comprising a processor coupled to a memory.
2. The method of claim 1 , wherein the expected encryption key length is based at least in part on an expected encryption key length for an encryption in one or more of an operating system of the storage system, a network environment of the storage system and system configuration data of the storage system.
3. The method of claim 1 , wherein the determining the key length of the encryption key further comprises determining the key length of the encryption key used for an encryption by an operating system portion of the storage system and determining the key length of the encryption key for an encryption used by at least one additional portion of the storage system.
4. The method of claim 1 , further comprising comparing a count of a number of write operations in a given folder to a number of files in the given folder.
5. The method of claim 4 , wherein the comparing the count of the number of write operations is performed in response to the key length having a same value as the expected encryption key length.
6. The method of claim 4 , further comprising generating an alert notification in response to the count of the number of write operations in the given folder having a same value as the number of files in the given folder.
7. The method of claim 1 , wherein the one or more automated remedial actions comprise generating an alert notification in response to the key length being different than the expected encryption key length.
8. An apparatus comprising:
at least one processing device comprising a processor coupled to a memory;
the at least one processing device being configured to implement the following steps:
determining a key length of an encryption key used to encrypt data associated with one or more write commands in a storage system;
obtaining an expected encryption key length of at least one encryption process used to encrypt data in the storage system;
evaluating the key length relative to the expected encryption key length; and
performing one or more automated remedial actions in response to the key length being different than the expected encryption key length.
9. The apparatus of claim 8 , wherein the expected encryption key length is based at least in part on an expected encryption key length for an encryption in one or more of an operating system of the storage system, a network environment of the storage system and system configuration data of the storage system.
10. The apparatus of claim 8 , wherein the determining the key length of the encryption key further comprises determining the key length of the encryption key used for an encryption by an operating system portion of the storage system and determining the key length of the encryption key for an encryption used by at least one additional portion of the storage system.
11. The apparatus of claim 8 , further comprising comparing a count of a number of write operations in a given folder to a number of files in the given folder.
12. The apparatus of claim 11 , wherein the comparing the count of the number of write operations is performed in response to the key length having a same value as the expected encryption key length.
13. The apparatus of claim 11 , further comprising generating an alert notification in response to the count of the number of write operations in the given folder having a same value as the number of files in the given folder.
14. The apparatus of claim 8 , wherein the one or more automated remedial actions comprise generating an alert notification in response to the key length being different than the expected encryption key length.
15. A non-transitory processor-readable storage medium having stored therein program code of one or more software programs, wherein the program code when executed by at least one processing device causes the at least one processing device to perform the following steps:
determining a key length of an encryption key used to encrypt data associated with one or more write commands in a storage system;
obtaining an expected encryption key length of at least one encryption process used to encrypt data in the storage system;
evaluating the key length relative to the expected encryption key length; and
performing one or more automated remedial actions in response to the key length being different than the expected encryption key length.
16. The non-transitory processor-readable storage medium of claim 15 , wherein the expected encryption key length is based at least in part on an expected encryption key length for an encryption in one or more of an operating system of the storage system, a network environment of the storage system and system configuration data of the storage system.
17. The non-transitory processor-readable storage medium of claim 15 , wherein the determining the key length of the encryption key further comprises determining the key length of the encryption key used for an encryption by an operating system portion of the storage system and determining the key length of the encryption key for an encryption used by at least one additional portion of the storage system.
18. The non-transitory processor-readable storage medium of claim 15 , further comprising comparing a count of a number of write operations in a given folder to a number of files in the given folder and generating an alert notification in response to the count of the number of write operations in the given folder having a same value as the number of files in the given folder.
19. The non-transitory processor-readable storage medium of claim 18 , wherein the comparing the count of the number of write operations is performed in response to the key length having a same value as the expected encryption key length.
20. The non-transitory processor-readable storage medium of claim 15 , wherein the one or more automated remedial actions comprise generating an alert notification in response to the key length being different than the expected encryption key length.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.